Update Trivy scan workflows (#676)

.github/actions/setup-oras-1.2.1/.github/dependabot.yml

@@ -0,0 +1,30 @@
+# Copyright The ORAS Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+version: 2
+
+updates:
+  - package-ecosystem: "github-actions"
+    # Workflow files stored in the
+    # default location of `.github/workflows`
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"

.github/actions/setup-oras-1.2.1/.github/licenserc.yml

@@ -0,0 +1,42 @@
+# Copyright The ORAS Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+header:
+  license:
+    spdx-id: Apache-2.0
+    content: |
+      Copyright The ORAS Authors.
+      Licensed under the Apache License, Version 2.0 (the "License");
+      you may not use this file except in compliance with the License.
+      You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+      Unless required by applicable law or agreed to in writing, software
+      distributed under the License is distributed on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+      See the License for the specific language governing permissions and
+      limitations under the License.
+
+  paths-ignore:
+    - '**/*.json'
+    - '**/*.md'
+    - 'dist/**'
+    - 'CODEOWNERS'
+    - 'LICENSE'
+
+  comment: on-failure
+
+dependency:
+  files:
+    - package.json

.github/actions/setup-oras-1.2.1/.github/workflows/check-dist.yml

@@ -0,0 +1,47 @@
+# Copyright The ORAS Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Check dist/
+
+on:
+  push:
+    paths-ignore:
+      - '**.md'
+  pull_request:
+    paths-ignore:
+      - '**.md'
+  workflow_dispatch:
+
+jobs:
+  check-dist:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: remove js files in dist/
+        run: find dist/ -type f \( -name "*.json" -o -name "*.js" -o -name "*.js.map" \) -delete
+      - name: Setup Node 16.x
+        uses: actions/setup-node@v4
+        with:
+          node-version: 16.x
+          cache: npm
+      - name: Install dependencies
+        run: npm install
+      - name: Rebuild the dist/ directory
+        run: npm run build
+      - name: Compare the expected and actual dist/ directories
+        run: |
+          if [ "$(git diff --ignore-space-at-eol dist/ | wc -l)" -gt "0" ]; then
+            echo "DIFFERENCES DETECTED: 'npm run build' is needed after code changes. See status below:"
+            git diff
+            exit 1
+          fi

.github/actions/setup-oras-1.2.1/.github/workflows/license-checker.yml

@@ -0,0 +1,44 @@
+# Copyright The ORAS Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: License Checker
+
+on:
+  push:
+    branches:
+      - main
+      - release-*
+  pull_request:
+    branches:
+      - main
+      - release-*
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  check-license:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Check license header
+        uses: apache/skywalking-eyes/header@v0.6.0
+        with:
+          mode: check
+          config: .github/licenserc.yml
+      - name: Check dependencies license
+        uses: apache/skywalking-eyes/dependency@v0.6.0
+        with:
+          config: .github/licenserc.yml

.github/actions/setup-oras-1.2.1/.github/workflows/test.yml

@@ -0,0 +1,136 @@
+# Copyright The ORAS Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Tests
+
+on:
+  push:
+    branches:
+      - main
+      - release-*
+  pull_request:
+    branches:
+      - main
+      - release-*
+
+defaults:
+  run:
+    shell: bash
+
+jobs:
+  test-basic-setup:
+    name: Test Setup ORAS CLI
+    runs-on: ${{ matrix.os }}
+    strategy:
+      matrix:
+        os: [macos-latest, windows-latest, ubuntu-latest]
+        version:
+          - 1.1.0
+          - 1.2.0
+      fail-fast: true
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Setup ORAS v${{ matrix.version }}
+      uses: ./
+      with:
+        version: ${{ matrix.version }}
+
+    - name: Verify ORAS version installed
+      env:
+        ORAS_VERSION_EXPECTED: ${{ matrix.version }}
+      run: |
+        echo ---
+        oras version
+        echo ---
+        read -ra ORAS_VERSION_INSTALLED <<<$(oras version)
+        [ "${ORAS_VERSION_INSTALLED[1]}" == "$ORAS_VERSION_EXPECTED" ]
+
+  create-test-variables:
+    runs-on: ubuntu-latest
+    outputs:
+      url: ${{ steps.get-checksum-url.outputs.URL }}
+      checksum: ${{ steps.get-checksum-url.outputs.CHECKSUM }}
+    steps:
+      - id: checkout
+        uses: actions/checkout@v4
+      - id: get-checksum-url
+        run: |
+          RELEASE=$(jq -r 'keys_unsorted[0] as $k | .[$k].linux.amd64' src/lib/data/releases.json)
+          echo "CHECKSUM=$(echo $RELEASE | jq -r '.checksum')" >> "$GITHUB_OUTPUT"
+          echo "URL=$(echo $RELEASE | jq -r '.url')" >> "$GITHUB_OUTPUT"
+
+  test-custom-url:
+    name: Test Setup using URL
+    runs-on: ubuntu-latest
+    needs: create-test-variables
+    steps:
+    - name: Checkout
+      uses: actions/checkout@v4
+
+    - name: Setup ORAS using URL
+      uses: ./
+      with:
+        url: ${{ needs.create-test-variables.outputs.url }}
+        checksum: ${{ needs.create-test-variables.outputs.checksum }}
+
+    - name: Setup ORAS using URL without checksum
+      id: no-checksum
+      continue-on-error: true
+      uses: ./
+      with:
+        url: ${{ needs.create-test-variables.outputs.url }}
+    - name: 'Should Fail: Setup ORAS using URL without checksum'
+      if: steps.no-checksum.outcome != 'failure'
+      run: |
+        echo "Setup ORAS using URL without checksum should fail, but succeeded."
+        exit 1
+    
+    - name: Setup ORAS using checksum without url
+      id: no-url
+      continue-on-error: true
+      uses: ./
+      with:
+        checksum: ${{ needs.create-test-variables.outputs.checksum }}
+    - name: 'Should Fail: Setup ORAS using checksum without url'
+      if: steps.no-url.outcome != 'failure'
+      run: |
+        echo "Setup ORAS using checksum without url should fail, but succeeded."
+        exit 1
+    
+    - name: Setup ORAS using URL and invalid checksum
+      id: invalid-checksum
+      continue-on-error: true
+      uses: ./
+      with:
+        url: ${{ needs.create-test-variables.outputs.url }}
+        checksum: abcedf
+    - name: 'Should Fail: Setup ORAS using URL and invalid checksum'
+      if: steps.invalid-checksum.outcome != 'failure'
+      run: |
+        echo "Setup ORAS using URL and invalid checksum should fail, but succeeded."
+        exit 1
+    
+    - name: Setup ORAS using invalid URL
+      id: invalid-url
+      continue-on-error: true
+      uses: ./
+      with:
+        url: invalid-url
+        checksum: test
+    - name: 'Should Fail: Setup ORAS using invalid URL'
+      if: steps.invalid-url.outcome != 'failure'
+      run: |
+        echo "Setup ORAS using invalid URL should fail, but succeeded."
+        exit 1

.github/actions/setup-oras-1.2.1/.github/workflows/update-version.yml

@@ -0,0 +1,61 @@
+# Copyright The ORAS Authors.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Update major and minor tags
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  update-major-minor-tags:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.release.tag_name }}
+      - name: Git config
+        run: |
+          git config user.name github-actions
+          git config user.email github-actions@github.com
+      - name: Tag and push new major and minor versions
+        run: | 
+          VERSION=${{ github.event.release.tag_name }}
+          MAJOR=$(echo ${VERSION} | cut -d '.' -f 1)
+          MINOR=${MAJOR}.$(echo ${VERSION} | cut -d '.' -f 2)
+          if [ -z ${VERSION} ]
+          then
+            echo "released tag cannot be empty"
+            exit 1
+          else
+            echo "released tag is ${VERSION}"
+          fi
+          if [ -z ${MAJOR} ]
+          then
+            echo "major tag cannot be empty"
+            exit 1
+          else
+            echo "major tag is ${MAJOR}"
+          fi
+          if [ -z ${MINOR} ]
+          then
+            echo "minor tag cannot be empty"
+            exit 1
+          else
+            echo "minor tag is ${MINOR}"
+          fi
+          git tag -f ${MAJOR} ${VERSION}
+          git tag -f ${MINOR} ${VERSION}
+          git push origin ${MAJOR} --force
+          git push origin ${MINOR} --force